FAQs

1. What is Talis Keystone?

Talis Keystone is a Services Oriented Architecture (SOA) middleware layer which is deployed into the institution and delivers services to and from the LMS via industry standard Web Services.

Talis Keystone provides an integration platform which delivers features, functionality and data, initially from the core Talis Library Management System, to other systems in the rest of the public or academic institution, such as the student portal or council web site, the finance system or CRM system.

2. What APIs does Talis Keystone support?

Talis Keystone supports both SOAP and REST APIs.

3. Why do I need the toolkit?

The toolkit enables developers to consume Talis Keystone Web Services without getting involved with the lower level details of Web Services, HTTP, XML, SOAP and REST. This means you can rapidly integrate your library system with other applications with minimum effort.

4. What languages do the toolkits support?

Currently, you can download the toolkit for the Java and the C#.NET environments.

5. Where can I find the WSDL file?

You can find the WSDL file at http://sandbox.talis.com/TalisKeystone/ViewMyAccountSOAPService/TalisKeystoneViewMyAccount.wsdl

6. Intermittent problem with Single Sign-On

Summary: Talis Keystone – Single Sign-On when Talis Keystone is deployed on a different system to the Prism instance which is being linked to via Single Sign-On.

Question: There is an intermittent problem with the Single Sign-On link delivered from Talis Keystone. Sometimes borrowers are not automatically logged into Talis Prism and are prompted for their library credentials. Is this a defect in either Talis Prism or Talis Keystone? Are there any solutions or work-arounds to this?

Answer:
This is only relevant to a system where Talis Keystone is deployed on a different system to the Prism instance which is being linked to via Single Sign-On. The problem is caused by the system clocks of the two systems not being in sync. This is an infrastructural issue and not a software defect in either Talis Keystone or Talis Prism.

Answering this fully requires an explanation of how single sign-on (SSO) works in Talis Keystone:

When the SSO link is requested from Talis Keystone via the Web Service request, the system creates a token based upon:

• A token timestamp: the current system time plus the configurable token timeout
• The id of the borrower

This token is created to a very specific format understood by Talis Prism and then it is encrypted. The encrypted token is then added to the end of the configurable Talis Prism server URL. Talis Keystone returns this SSO link to the client via the Web Service response.

When the link into Talis Prism is activated (for example by the user accessing the link in the campus portal) the token is passed to Talis Prism which then decrypts it. The token is then analysed by Talis Prism:

• The current system time of the Talis Prism system is established.
• If the token timestamp passed is greater than the Prism current system time, then the token has not timed out and the user is automatically signed in.
• If the token timestamp passed is less than the Prism current system time, then the token has timed out; the user is NOT automatically signed in and is prompted for their library credentials.

The key part of this workflow is that the Talis Keystone server and the Talis Prism server have the same system time. If the system time is different between these systems then the token timeout will be affected. A couple of examples illustrate this:

Example 1 – Single Sign-On Working

Say at the time the SSO link is requested from Talis Keystone the system time of the Talis Keystone server is 10am and the token timeout is configured to be 15 minutes. The SSO token will work until 10:15.

If the system time of the Talis Prism system is also 10:00, then when the link is activated at, say, 10:08 by a user, the token will still be active for another 7 minutes and so the borrower will be automatically signed in. If the link is activated by the borrower at 10:16, then the token will have timed out and the borrower will not be automatically signed in.

Example 2 – Single Sign-On NOT Working

Say at the time the SSO link is requested from Talis Keystone the system time of the Talis Keystone server is 10am and the token timeout is set to 15 minutes. The SSO token will work until 10:15.

If the system time of the Talis Prism system is 11:00, then when the link is activated at, say, 10:08 by a user, the token will be passed to the Prism system, but because the Prism system clock is one hour ahead, Talis Prism will ‘think’ the token timed out 52 minutes previously and the borrower will not be automatically signed in.

Solutions:

• The recommended solution is to ensure that the system times of the Talis Keystone system and the Prism system that is the SSO target are in sync.
• An alternative solution (work-around) is to configure the SSO link to go to a Prism instance which is on the same system as Talis Keystone, guaranteeing the system times will always be the same.

Related consideration

The reason this can also be intermittent is due to Apache load balancing. If the SSO link is configured to go to a Talis Prism system which has the same system time, then SSO will work, but if the link goes via Apache load balancing and the system is under heavy load, the session will be directed to the secondary load-balanced machine. If this secondary load-balanced machine has a different system time as described above, then SSO will not work; this is why it can be perceived as intermittent.
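
The expiry check from Examples 1 and 2 and the load-balanced case above, modelled as an added example (not Talis code). The token is reduced to a borrower id and a timestamp because the real token format and encryption are not described here; the node names, borrower id and date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=15)        # token timeout used in the FAQ's examples
ISSUED = datetime(2024, 1, 1, 10, 0)   # constructed date; 10:00 on the Keystone clock


@dataclass(frozen=True)
class SsoToken:
    """Simplified stand-in: the real token format and encryption are not modelled."""
    borrower_id: str
    expires_at: datetime               # Keystone time at issue + configured timeout


def issue_token(keystone_now: datetime, borrower_id: str,
                timeout: timedelta = TIMEOUT) -> SsoToken:
    return SsoToken(borrower_id, keystone_now + timeout)


def prism_accepts(token: SsoToken, prism_now: datetime) -> bool:
    # The FAQ defines only "greater" (valid) and "less" (timed out);
    # treating equality as timed out is an assumption of this example.
    return token.expires_at > prism_now


def effective_lifetime(prism_offset: timedelta,
                       timeout: timedelta = TIMEOUT) -> timedelta:
    """Real validity window when the Prism clock = Keystone clock + prism_offset."""
    return max(timeout - prism_offset, timedelta(0))


def simulate(prism_offsets: dict, activated_after: timedelta) -> dict:
    """Sign-in result per Prism node for a link activated this long after issue."""
    token = issue_token(ISSUED, "B0001")           # constructed borrower id
    keystone_now = ISSUED + activated_after
    return {node: prism_accepts(token, keystone_now + offset)
            for node, offset in prism_offsets.items()}


if __name__ == "__main__":
    # Hypothetical load-balanced pair: the secondary's clock is one hour ahead.
    nodes = {"prism-primary": timedelta(0), "prism-secondary": timedelta(hours=1)}
    print(simulate(nodes, timedelta(minutes=8)))   # same link, different outcome per node
    print(effective_lifetime(timedelta(hours=-1))) # Prism clock one hour behind
```

The same logic shows the opposite failure: a Prism clock that runs behind Keystone's keeps the token valid for longer than the configured timeout, so clock sync matters for token lifetime as well as for avoiding spurious login prompts.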